cockpit
Accounts page shows only accounts of UID 1000 and higher
Page: accounts
It took me a while to figure this out. I had an account on a Raspberry Pi that was owned by Home Assistant, and as per the instructions for installing Home Assistant Core, it was set up with a UID of 999 and a GID of 998. Well, I couldn't figure out for the life of me why that account wouldn't show up under the accounts page. Couldn't find any reference to it.
Then I thought about the UID/GID and by chance I changed the UID from 999 to 1003 and all of a sudden it showed up.
So as a beginning it would be great to put a simple note on the accounts page that only users with a UID of 1000 or higher show there... I assume this would be really easy to do. Second, it would be great to define a range, let's say, of UIDs that would show there, or something that enables me to show specific accounts that may not be in the 1000 or higher range.
Indeed, we pick users with uid > 1000 or === 0 (for root). See here
We surely don't want to drop all accounts there by default
```
$ cat /etc/passwd | wc -l
63
```
while there are really just 6 of them that make any sense for me.
Workaround is rather simple - pick any random user, click on it, that leads you to `https://localhost:9090/users#/foobar` and then you can change `foobar` for the user name you want to see.
That of course is not something that normally users would discover or do.
Maybe we could add some toggle switch to show all accounts?
> Maybe we could add some toggle switch to show all accounts?
We should not have a toggle for something like this.
Instead of just filtering by >= 1000, what if we filtered with other heuristics? For example: What if we also look for accounts with a home directory? Or what if we filtered out anything with `/usr/sbin/nologin`?
Fedora Silverblue's `/etc/passwd` is pretty uninteresting. There are only two entries; one for root and one for the user.
On Red Hat Enterprise Linux 8.x, there are 40 entries on a workstation install.
Ubuntu's `/etc/passwd` has many more entries by default. Doing `wc -l /etc/passwd` on a default desktop Ubuntu install gives me 49 entries. On a local Debian server installation I have here (on a Raspberry Pi), I see 34.
Here's a table of the default `/etc/passwd` on Ubuntu (which I have installed on a VM, with just my own user account):
id | pass | UID | GID | info | home | shell |
---|---|---|---|---|---|---|
root | x | 0 | 0 | root | /root | /bin/bash |
daemon | x | 1 | 1 | daemon | /usr/sbin | /usr/sbin/nologin |
bin | x | 2 | 2 | bin | /bin | /usr/sbin/nologin |
sys | x | 3 | 3 | sys | /dev | /usr/sbin/nologin |
sync | x | 4 | 65534 | sync | /bin | /bin/sync |
games | x | 5 | 60 | games | /usr/games | /usr/sbin/nologin |
man | x | 6 | 12 | man | /var/cache/man | /usr/sbin/nologin |
lp | x | 7 | 7 | lp | /var/spool/lpd | /usr/sbin/nologin |
mail | x | 8 | 8 | mail | /var/mail | /usr/sbin/nologin |
news | x | 9 | 9 | news | /var/spool/news | /usr/sbin/nologin |
uucp | x | 10 | 10 | uucp | /var/spool/uucp | /usr/sbin/nologin |
proxy | x | 13 | 13 | proxy | /bin | /usr/sbin/nologin |
www-data | x | 33 | 33 | www-data | /var/www | /usr/sbin/nologin |
backup | x | 34 | 34 | backup | /var/backups | /usr/sbin/nologin |
list | x | 38 | 38 | Mailing List Manager | /var/list | /usr/sbin/nologin |
irc | x | 39 | 39 | ircd | /var/run/ircd | /usr/sbin/nologin |
gnats | x | 41 | 41 | Gnats Bug-Reporting System (admin) | /var/lib/gnats | /usr/sbin/nologin |
nobody | x | 65534 | 65534 | nobody | /nonexistent | /usr/sbin/nologin |
systemd-network | x | 100 | 102 | systemd Network Management,,, | /run/systemd | /usr/sbin/nologin |
systemd-resolve | x | 101 | 103 | systemd Resolver,,, | /run/systemd | /usr/sbin/nologin |
systemd-timesync | x | 102 | 104 | systemd Time Synchronization,,, | /run/systemd | /usr/sbin/nologin |
messagebus | x | 103 | 106 | | /nonexistent | /usr/sbin/nologin |
syslog | x | 104 | 110 | | /home/syslog | /usr/sbin/nologin |
_apt | x | 105 | 65534 | | /nonexistent | /usr/sbin/nologin |
tss | x | 106 | 111 | TPM software stack,,, | /var/lib/tpm | /bin/false |
uuidd | x | 107 | 114 | | /run/uuidd | /usr/sbin/nologin |
tcpdump | x | 108 | 115 | | /nonexistent | /usr/sbin/nologin |
avahi-autoipd | x | 109 | 116 | Avahi autoip daemon,,, | /var/lib/avahi-autoipd | /usr/sbin/nologin |
usbmux | x | 110 | 46 | usbmux daemon,,, | /var/lib/usbmux | /usr/sbin/nologin |
rtkit | x | 111 | 117 | RealtimeKit,,, | /proc | /usr/sbin/nologin |
dnsmasq | x | 112 | 65534 | dnsmasq,,, | /var/lib/misc | /usr/sbin/nologin |
cups-pk-helper | x | 113 | 120 | user for cups-pk-helper service,,, | /home/cups-pk-helper | /usr/sbin/nologin |
speech-dispatcher | x | 114 | 29 | Speech Dispatcher,,, | /run/speech-dispatcher | /bin/false |
avahi | x | 115 | 121 | Avahi mDNS daemon,,, | /var/run/avahi-daemon | /usr/sbin/nologin |
kernoops | x | 116 | 65534 | Kernel Oops Tracking Daemon,,, | / | /usr/sbin/nologin |
saned | x | 117 | 123 | | /var/lib/saned | /usr/sbin/nologin |
nm-openvpn | x | 118 | 124 | NetworkManager OpenVPN,,, | /var/lib/openvpn/chroot | /usr/sbin/nologin |
hplip | x | 119 | 7 | HPLIP system user,,, | /run/hplip | /bin/false |
whoopsie | x | 120 | 125 | | /nonexistent | /bin/false |
colord | x | 121 | 126 | colord colour management daemon,,, | /var/lib/colord | /usr/sbin/nologin |
geoclue | x | 122 | 127 | | /var/lib/geoclue | /usr/sbin/nologin |
pulse | x | 123 | 128 | PulseAudio daemon,,, | /var/run/pulse | /usr/sbin/nologin |
gnome-initial-setup | x | 124 | 65534 | | /run/gnome-initial-setup/ | /bin/false |
gdm | x | 125 | 130 | Gnome Display Manager | /var/lib/gdm3 | /bin/false |
sssd | x | 126 | 131 | SSSD system user,,, | /var/lib/sss | /usr/sbin/nologin |
garrett | x | 1000 | 1000 | Garrett,,, | /home/garrett | /bin/bash |
systemd-coredump | x | 999 | 999 | systemd Core Dumper | / | /usr/sbin/nologin |
cockpit-ws | x | 127 | 134 | | /nonexisting | /usr/sbin/nologin |
cockpit-wsinstance | x | 128 | 135 | | /nonexisting | /usr/sbin/nologin |
If I use grep on the file, in Ubuntu, I get something useful:
```
$ grep home /etc/passwd | grep -v nologin
garrett:x:1000:1000:Garrett,,,:/home/garrett:/bin/bash
```
The same grep command happens to work on Debian, RHEL, and Fedora too. (I included Ubuntu as the test here, as I had a VM for it where copy/pasting worked.)
I'm not suggesting we simply grep `/etc/passwd`, but saying that we know which field is which and we must already parse it. We can see if home matches `/root` or `home` (assuming `/home` or `/var/home`) and discard entries if there's a `nologin` or `false` in the "shell".
If we wanted to ignore the presence of a home directory and only filter on shell, we could basically discard any that match one of the following: nologin, false, halt, shutdown, sync... but that gets a bit hacky as various commands that are not users may also have random commands that have been added. It's not uncommon. This is why I suggested both a home directory and a shell that isn't nologin or false.
We could do something like this instead of UID >= 1000 or in addition to (taking care to not duplicate entries, of course). In addition to is probably the best approach, as then if someone wanted a user account with a non-standard home directory (not `/home` or `/var/home`), it would still work, provided it's UID >= 1000.
Note for paths: On Ubuntu, it's `/usr/sbin/nologin`, on RHEL, it's `/sbin/nologin`.
Note for the home directory: `/home` and `/root` are the standard places according to the Filesystem Hierarchy Standard (part of the Linux Standard Base) and `/var/home` is where Silverblue places home (with a symlink to home).
Oh, I just looked at the code and see we actually do the filtering out of nologin and false shells.
We don't check for a home directory however. Perhaps that's the solution? Home directory of `/root`, `/home`, `/var/home` or a UID >= 1000?
@u8915055: Does your user that had a UID of 999 have a home directory? If so, what is it?
FWIW, UID and GID have min and max set in `/etc/login.defs`:
```
$ grep -v \# /etc/login.defs | uniq
MAIL_DIR /var/spool/mail
UMASK 022
HOME_MODE 0700
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
SYS_UID_MIN 201
SYS_UID_MAX 999
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
SUB_UID_COUNT 65536
GID_MIN 1000
GID_MAX 60000
SYS_GID_MIN 201
SYS_GID_MAX 999
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
SUB_GID_COUNT 65536
ENCRYPT_METHOD YESCRYPT
USERGROUPS_ENAB yes
CREATE_HOME yes
HMAC_CRYPTO_ALGO SHA512
```
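
The combined rule discussed in this thread (shell filter, home-directory check, and a UID floor read from `/etc/login.defs` instead of a hard-coded 1000), as an added example that is not Cockpit's code. The function names and the `hass` entry are constructed for illustration; the other sample entries follow the Ubuntu table above.

```javascript
// Added example, not Cockpit's code. All sample data is constructed.
const NON_LOGIN_SHELL = /\/(nologin|false)$/;
const HOME_PREFIXES = ["/home/", "/var/home/"];

// UID_MIN from login.defs text; fall back to 1000 when unset or commented out.
function uidMin(loginDefs) {
    const m = loginDefs.match(/^[ \t]*UID_MIN[ \t]+(\d+)/m);
    return m ? Number(m[1]) : 1000;
}

// Parse passwd(5) text; skip blank, comment and malformed lines.
function parsePasswd(text) {
    return text.split("\n")
        .filter(line => line && !line.startsWith("#"))
        .map(line => line.split(":"))
        .filter(f => f.length === 7)
        .map(([name, , uid, , , home, shell]) => ({ name, uid: Number(uid), home, shell }));
}

// Combined rule from the thread: drop nologin/false shells, then keep root,
// any UID >= UID_MIN, or any home of /root, /home/* or /var/home/*.
function isListed(u, min) {
    if (NON_LOGIN_SHELL.test(u.shell)) return false;
    const userHome = u.home === "/root" || HOME_PREFIXES.some(p => u.home.startsWith(p));
    return u.uid === 0 || u.uid >= min || userHome;
}

function listedNames(passwd, loginDefs) {
    const min = uidMin(loginDefs);
    return parsePasswd(passwd).filter(u => isListed(u, min)).map(u => u.name);
}

// Accounts with a usable shell that a UID-only filter hides from the page.
function hiddenByUidOnly(passwd, loginDefs) {
    const min = uidMin(loginDefs);
    return parsePasswd(passwd)
        .filter(u => !NON_LOGIN_SHELL.test(u.shell) && u.uid !== 0 && u.uid < min)
        .map(u => u.name);
}

const LOGIN_DEFS = "#UID_MIN 500\nUID_MIN 1000\nUID_MAX 60000\n";
const PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "sync:x:4:65534:sync:/bin:/bin/sync",
    "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin",
    "garrett:x:1000:1000:Garrett,,,:/home/garrett:/bin/bash",
    "hass:x:999:998::/home/hass:/bin/bash",   // constructed service account
].join("\n");
console.log(listedNames(PASSWD, LOGIN_DEFS), hiddenByUidOnly(PASSWD, LOGIN_DEFS));
```

`hiddenByUidOnly` also returns `sync`, whose shell is `/bin/sync`; the home-directory check is what keeps it off the listed set.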